RSA Attackers May Have Hit 760 Other Organizations With Similar Malware

Security professionals believe the attack on RSA Security was not an isolated event and that several hundred other companies around the world were hit by similar incidents.

The malware used to compromise RSA Security earlier this
year may have been used in attacks against more than 700 other organizations,
according to a report by security writer and analyst Brian Krebs.
Facebook, Google and eBay are among the 760 organizations
that may have been hit by malware that used the same command and control
infrastructure as the one used in the RSA breach, security writer Brian Krebs
wrote on Krebs On Security on Oct. 24. Of the total list, about 20 percent are
considered to be Fortune 100 companies.

The organizations on the list had networks that were
compromised with "some of the same resources" used to hit RSA,
according to Krebs. The networks were "phoning home" to some of the
same C&C servers from the RSA breach, and the first attack could have been
as early as November 2010.

"No one has been willing to talk publicly about which
other companies may have been hit," Krebs said, noting that security professionals
had long suspected that RSA Security wasn't the sole victim of the
sophisticated malware that exploited several zero-day vulnerabilities.
These organizations were not compromised using data stolen
from RSA Security, Krebs warned, but were likely hit by an RSA-style
attack. The attackers may have been searching for information that could be
used to launch other secondary attacks such as the one launched against defense contractor Lockheed Martin in May.RSA Security disclosed in spring that some of its systems
had been infected by a malicious Excel spreadsheet booby-trapped with exploits
targeting zero-day vulnerabilities in Adobe Flash Player. The attackers had
targeted recruiters and human resources staff. Art Coviello, RSA's chairman,
warned about Advanced Persistent Threats and how adversaries are developing
sophisticated threats designed to lurk in networks and not be detected by
traditional defense systems.
Krebs did not disclose how the data was compiled or who
conducted the analysis. Security professionals provided the list of
organizations in a series of ongoing meetings with Congressional staff regarding
APTs, according to Krebs.
However, it was worth noting that the list may not be
entirely accurate because some of the organizations might not have been
actually targeted. Security organizations, such as McAfee, Fortinet and Computer
Emergency Response Team (CERT), on the list probably "intentionally
compromised" their own systems to reverse-engineer the malware, Krebs
said. Practically every major internet service provider around the world,
including China Telecomm, Comcast and the United Kingdom's Orange was also
included in the list, but it was more likely that one of their subscribers had
been infected by the malware instead of the service provider's networks.
With the information available, it is not clear how many
systems in each of the networks were actually infected or whether attackers
successfully transferred sensitive data to remote servers for every single one
of the victims. It is also not known how long the intruders were able to
persistently lurk in the network. The breach for some of these organizations
could have been minor, with only a single throwaway system, or it might have
been extensive with several systems compromised.
A majority, or about 88 percent, of the C&C servers used
in the attacks were located in China. There were other servers in South Korea,
Brazil, India, Italy, Pakistan, the United States and the United Kingdom. Krebs
said "the overwhelming majority" of the Chinese networks were located
in or around Beijing.